CLAIMS

The following listing of claims lists all of the pending claims, and supersedes all prior 
listings, and versions, of claims in this application. 

LISTING OF CLAIMS: 

1. (Currently Amended) A method for assessing and/or managing risks for an organization,
comprising the steps of: 

[[(a)]] inventorying a plurality of assets of the organization, wherein each asset is defined 
to be one of an electronic asset type and a location asset type, and wherein the electronic asset 
type includes computers and networking equipment therefor and the location asset type includes 
physical locations where the electronic asset types are placed; 

identifying the plurality of assets, wherein at least a portion of the plurality of assets are
identified by utilizing a computer to electronically scan the plurality of assets via a network; 

storing the identified assets electronically in the computer; 

[[(b)]] identifying at least one criterion defining a security objective of the organization
and electronically storing the at least one identified criterion in the computer;

[[(c)]] identifying one or more inventoried assets that relate to the identified criterion by
utilizing the computer;

[[(d)]] formulating one or more metric equations for each identified criterion by utilizing
the computer, each metric equation being defined, in part, by the one or more identified assets,
wherein each metric equation yields an outcome value when one or more measurements are
made relating to the identified assets; and

[[(e)]] assessing the risk to the organization based on the measured values of the one or
more metric equations by utilizing the computer.

2. (Canceled) 

3. (Currently Amended) The method of claim 2 claim 1 , wherein the step of identifying the
plurality of assets further comprises at least one of: 

electronically scanning the plurality of assets; 

interviewing members of the organization to identify the plurality of assets; and 
manually identifying the plurality of assets. 

4. (Original) The method of claim 1, wherein the plurality of assets are defined to be one of 
a user type, a user population type, a data type and a network type in addition to the electronic 
type and the location type, wherein the user type relates to an individual user and the user 
population type relates to a group of users. 

5. (Original) The method of claim 4, further comprising the step of: 
establishing at least one relationship between the plurality of assets. 

6. (Previously Presented) The method of claim 5, wherein the step of establishing the at 
least one relationship further comprises the step of: 

linking a first asset defined to be in one asset type with a second asset defined to be in 
another asset type. 

7. (Previously Presented) The method of claim 5, wherein the step of establishing the at 
least one relationship further comprises the step of: 

linking a first asset defined to be in one asset type with a second asset defined to be in the 
same asset type. 

8. (Currently Amended) The method of claim 5, wherein the step (c) the step of identifying
one or more inventoried assets further comprises the step of: 

identifying one or more inventoried assets that relate to the identified criterion based on 
the at least one established relationship between the plurality of assets. 

9. (Currently Amended) A system for assessing and/or managing risks for an organization,
comprising: A computing system configured to: 

(a) means for identifying and storing identify a plurality of assets of the organization,
wherein each asset is defined to be one of an electronic asset type and a location asset type,
[[and]] wherein the electronic asset type includes computers and networking equipment therefor
and the location asset type includes physical locations where the electronic asset types are
placed, and store the identified assets into a database;

(b) means for identifying identify a plurality of criteria, each criterion defining a security
objective of the organization;

(c) means for identifying identify a plurality of inventoried assets that relate to each
identified criterion; and



formulate one or more metric equations for each identified
criterion, each metric equation being defined, in part, by the one or more identified assets,
wherein each metric equation yields an outcome value when one or more measurements are
made relating to the identified assets, thereby allowing a user to assess the risk to the
organization based on the measured values of the one or more metric equations.

10. (Canceled)

11. (Currently Amended) The computing system of claim 9, wherein the means for
identifying the plurality of assets comprises at least one of: further configured to identify the
plurality of assets by electronically scanning at least a portion of the plurality of assets via a
network.

for electronically scanning scan the plurality of assets;

for interviewing members of the organization to identify the plurality of assets;

for manually identifying the plurality of assets.

12. (Currently Amended) The computing system of claim 9, wherein the plurality of assets
are defined to be one of a user type, a user population type, a data type and a network type in 
addition to the electronic type and the location type, wherein the user type relates to an 
individual user and the user population type relates to a group of users. 

13. (Currently Amended) The computing system of claim 12, further comprising: configured
to means for establishing establish at least one relationship between the plurality of assets. 

14. (Currently Amended) The computing system of claim 13, wherein the means for 
establishing further configured to establish the at least one relationship further comprises: 
means for by linking a first asset defined to be in one asset type with a second asset defined to be 
in another asset type. 

15. (Currently Amended) The computing system of claim 13, wherein the means for
establishing further configured to establish the at least one relationship further comprises:
means for by linking a first defined to be in one asset type with a second asset defined to be in
the same asset type. 

16. (Currently Amended) The computing system of claim 13, wherein means (c) further 
comprises: 

means for identifying further configured to identify one or more inventoried assets that 
relate to the identified criterion based on the at least one established relationship between the 
plurality of assets. 

17. (Original) A system for assessing and/or managing risks for an organization, comprising: 
a computer configured to identify a plurality of assets of the organization, wherein each
asset is defined to be one of an electronic asset type and a location asset type, and wherein the
electronic asset type includes computers and networking equipment therefor and the location 
asset type includes physical locations where the electronic asset types are placed; 

a database configured to store the identified assets along with their asset types; 



Application No. 10/032,610 Docket No.: 20070461
Amendment Accompanying A Request For Continued Examination dated November 24, 2008
Response to Advisory Action dated October 23, 2008

means for identifying at least one criterion defining a security objective of the 
organization, wherein the computer is further configured to identify one or more inventoried 
assets that relate to the identified criterion and configured to formulate one or more metric 
equations for each identified criterion, each metric equation being defined, in part, by the one or 
more identified assets, wherein each metric equation yields an outcome value when one or more 
measurements are made relating to the identified assets, thereby allowing a user to assess the risk 
to the organization based on the measured values of the one or more metric equations. 

18. (Original) The system of claim 17, wherein the computer is further configured to: 
electronically scan the plurality of assets; 

interview members of the organization to identify the plurality of assets; and 
manually identify the plurality of assets. 

19. (Original) The system of claim 17, wherein the plurality of assets are defined to be one of 
a user type, a user population type, a data type and a network type in addition to the electronic 
type and the location type, wherein the user type relates to an individual user and the user 
population type relates to a group of users. 

20. (Original) The system of claim 19, wherein the computer is further configured to 
establish at least one relationship between the plurality of assets. 

21. (Previously Presented) The system of claim 20, wherein the computer is further
configured to link a first asset defined to be in one asset type with a second asset 
defined to be in another asset type. 

22. (Previously Presented) The system of claim 20, wherein the computer is further 
configured to link a first asset defined to be in one asset type with a second asset 
defined to be in the same asset type. 

23. (Original) The system of claim 20, wherein the computer is further configured to identify
one or more inventoried assets that relate to the identified criterion based on the at least one 
established relationship between the plurality of assets. 

24. (Original) A computer readable medium including instructions being executed by one or 
more computers, the instructions instructing the one or more computers for assessing and/or 
managing risks for an organization, the instructions comprising implementation of the steps of: 

(a) inventorying a plurality of assets of the organization, wherein each asset is defined to 
be one of an electronic asset type and a location asset type, and wherein the electronic asset type 
includes computers and networking equipment therefor and the location asset type includes 
physical locations where the electronic asset types are placed; 

(b) identifying at least one criterion defining a security objective of the organization; 

(c) identifying one or more inventoried assets that relate to the identified criterion; and 

(d) formulating one or more metric equations for each identified criterion, each metric 
equation being defined, in part, by the one or more identified assets, wherein each metric 
equation yields an outcome value when one or more measurements are made relating to the 
identified assets, thereby allowing a user to assess the risk to the organization based on the 
measured values of the one or more metric equations. 

25. (Original) The medium of claim 24, wherein the step (a) comprises the step of: 
identifying the plurality of assets and storing the identified assets into a database. 

26. (Original) The medium of claim 25, wherein the step of identifying the plurality of assets 
comprises at least one of: 

electronically scanning the plurality of assets; 

interviewing members of the organization to identify the plurality of assets; and 
manually identifying the plurality of assets. 

27. (Original) The medium of claim 24, wherein the plurality of assets are defined to be one
of a user type, a user population type, a data type and a network type in addition to the electronic 
type and the location type, wherein the user type relates to an individual user and the user 
population type relates to a group of users. 

28. (Original) The medium of claim 27, further comprising the step of: 
establishing at least one relationship between the plurality of assets. 

29. (Previously Presented) The medium of claim 28, wherein the step of establishing the at 
least one relationship further comprises the step of: 

linking a first asset defined to be in one asset type with a second asset defined to be in 
another asset type. 

30. (Previously Presented) The medium of claim 28, wherein the step of establishing the at 
least one relationship further comprises the step of: 

linking a first asset defined to be in one asset type with a second asset defined to be in the 
same asset type. 

31. (Original) The medium of claim 28, wherein the step (c) further comprises the step of:
identifying one or more inventoried assets that relate to the identified criterion based on
the at least one established relationship between the plurality of assets.



